Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of January 2018

New Detection Technique – MuddyWater APT

The attackers known as MuddyWater were behind a series of attacks during 2017 that primarily targeted organisations in the Middle East. The attacks continue, and often involve a PowerShell-based first-stage backdoor called POWERSTATS, for which we recently added new detection signatures.

POWERSTATS has recently evolved to include new infection payloads. The initial trojan infection is generally dropped directly by macros in malicious Microsoft Word documents. The macro drops a PowerShell script and a VBS script onto the system which, upon execution, contact a malicious server (addressed by IP) via HTTP GET requests, giving the attacker backdoor access to the victim's machine. Other recent changes include additional code obfuscation, anti-sandbox, and anti-analysis features.

Patterns shared among versions of this attack include the PowerShell backdoors, common attributes of the malicious documents used, shared C&C infrastructure, and common methods of delivering those documents.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, MuddyWater APT

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

System Compromise, Trojan infection, Agent.ZGL

System Compromise, Trojan infection, Axtrit.BR

System Compromise, Trojan infection, Derkziel

System Compromise, Trojan infection, Fake Twitch

System Compromise, Trojan infection, Kuriyama

System Compromise, Trojan infection, Mishkaio

System Compromise, Trojan infection, POWERSTATS

System Compromise, Trojan infection, SchwSonne

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

Evrial is a trojan designed to steal cryptocurrency information by changing payment addresses copied from the Windows clipboard. It was found in the wild in early 2018. It is available for sale from criminal forums on the dark web.

Evrial searches the clipboard for strings matching crypto wallet and online payment identifiers and replaces them with values configured by the attacker, so that payments are rerouted to an address under the attacker's control. The trojan also connects to a malicious PHP server to which it sends the stolen cryptocurrency information. It can be configured to alter Bitcoin, Litecoin, Monero, WebMoney, and Qiwi addresses.

Apart from this, it can also perform regular trojan activities, such as stealing passwords stored in browsers, cookies and documents, or taking a screenshot of the active window.

GlobeImposter is ransomware that imitates the Globe ransomware family. It was discovered in the wild in mid-2017 and has recently been observed in new campaigns that redirect cryptocurrency payments with the help of malicious Tor proxies.

The attack consists of altering the payment wallet identifier shown to the victim during the ransomware payment process. Ransomware victims often access the payment pages through a Tor proxy instead of the Tor Browser, since not all of them have that browser installed. Tor proxies are ordinary websites that translate Tor traffic into normal web traffic so that it can be displayed in a regular browser. The malware infects Tor proxies to detect the crypto wallet addresses typically used for ransomware payments and replaces the identifier with one supplied by the attacker. When the same site is opened in the Tor Browser rather than through a Tor proxy, the correct Bitcoin payment address appears. GlobeImposter therefore urges victims to use the Tor Browser during payment so that the money is not diverted.

Attackers have diverted 1.97 BTC so far, as identified by tracking the known crypto wallet addresses.
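Both the Evrial clipboard swap and the Tor-proxy substitution described above come down to the same defender check: the wallet address the victim ends up with must equal the one in a trusted rendering (the value actually copied, or the page as shown in Tor Browser). The following is an added example, not code from the original bulletin, of that comparison; the address patterns are approximations of the public formats and the sample addresses are well-known documentation examples, not attacker wallets.

```python
import re

# Approximate public address shapes for the coin families the bulletin names
# (Bitcoin, Litecoin, Monero). Good enough to notice that an address changed
# between two renderings; they do not validate checksums.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b"),
    "litecoin": re.compile(
        r"\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{25,62})\b"),
    "monero": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}


def extract_addresses(text):
    """Return {coin: [addresses in order of appearance]} for the coins above."""
    found = {}
    for coin, pattern in ADDRESS_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[coin] = hits
    return found


def find_swapped_addresses(trusted_text, observed_text):
    """Compare a trusted rendering with the one the victim actually sees.

    trusted_text: the value the user copied, or the page as shown in Tor Browser.
    observed_text: the clipboard at paste time, or the page served via a Tor proxy.
    Returns {coin: {"expected": [...], "observed": [...]}} for every coin whose
    address list differs; an empty dict means nothing was substituted.
    """
    trusted = extract_addresses(trusted_text)
    observed = extract_addresses(observed_text)
    return {
        coin: {"expected": trusted.get(coin, []), "observed": observed.get(coin, [])}
        for coin in sorted(set(trusted) | set(observed))
        if trusted.get(coin, []) != observed.get(coin, [])
    }


# Constructed sample: the ransom page as seen in Tor Browser versus the copy a
# manipulated Tor proxy serves, and a clipboard value before and after a swap.
PAGE_VIA_TOR_BROWSER = "<p>Send 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</p>"
PAGE_VIA_PROXY = "<p>Send 0.5 BTC to 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy</p>"
COPIED_ADDRESS = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
PASTED_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"

if __name__ == "__main__":
    print("tor proxy:", find_swapped_addresses(PAGE_VIA_TOR_BROWSER, PAGE_VIA_PROXY))
    print("clipboard:", find_swapped_addresses(COPIED_ADDRESS, PASTED_ADDRESS))
```

A clipboard monitor or a browser-side script can run find_swapped_addresses on the copied value and the pasted value; a non-empty result is the signal that a substitution occurred.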